By Nicholas Welsh, an intern in the Lowy Institute's International Security Program.
In April, Prime Minister Turnbull unveiled the National Cyber Security Strategy, outlining five key themes of action to improve Australia's cyber-security capabilities and meet the dual challenges of 'advancing and protecting our interests online'. Just over three months later, the collapse of the census website, attributed (at least in part) to a series of distributed denial of service attacks from international sources demonstrated why we need such a strategy.
Cyber-crime is a difficult challenge for any government. The anonymous nature of the internet makes it difficult to find the individuals behind online activities, and the legal hurdles to convicting perpetrators (particularly if they are suspected to be overseas) are considerable, given cyber-laws vary greatly. The National Cyber Security Strategy will help to ensure Australian cyber-defence capabilities are, at the very least, in step with global technological advances But national-level defence can only go so far in a realm where Australia's geographical isolation and border protection efforts are, in essence, immaterial.
The third of the five themes, titled 'Global Responsibility and Influence', seeks to partner with international law enforcement and intelligence agencies to 'build cyber capacity to prevent and shut down safe havens for cyber criminals'. With the proximity of the INTERPOL Global Complex for Innovation (IGCI) established in Singapore in 2014, Australia and the Asia-Pacific region finds itself in a somewhat unique position to combat the rise of cyber-crime on a level beyond the national. The IGCI's cyber-focussed mandate and capacity building role complements the goals of the strategy nicely, but the extent to which the IGCI has, over the past two years, installed itself as indispensable in all cybercrime matters is debatable.
Since the IGCI's establishment, the Australian Federal Police Force (AFP) has embedded officers in the Singapore complex, allowing them to use an extensive network of cyber expertise and personnel training programmes, both for regional and domestic benefit. Despite such benefits, the lack of any operational mandate for the IGCI means that bilateral (and increasingly multilateral) relationships between national police forces remain more valuable, and so cooperation and intel sharing among regional state law enforcement agencies remains compartmentalised.
Governments around the world commonly reference the difficulty of tackling a transnational issue like cybercrime alone and push a narrative of cooperation between national law enforcement agencies, as evidenced in the third theme of the cyber security strategy. In this context, the IGCI, which offers a pre-existing structure to facilitate the construction of a multilateral, regional framework for tackling cybercrime, would seem to be an under-used resource on Australia's doorstep. Even without an operational mandate, the central coordination role that the IGCI could play in organising and sharing cybercrime intel equally among regional law-enforcement agencies has the potential to provide the Asia-Pacific region with a technological and informational advantage that states lack when acting alone. [fold]
While the current lack of extensive regional engagement with the IGCI may be in part due to its youth, the greatest hurdle to creating such a regional framework would be, as ever, political. Technological advances in the cyber-sphere are dual use by nature; increases in one state's capacity to combat cybercrime could be seen as a threat against another's cybersecurity. The IGCI is a non-political entity but it will still find it hard to convince governments the benefits of integrated cooperation to combat cybercrime outweigh the risks their own security will be undermined in the event of a state-sanctioned cyber-attack. Emphasising the reverse of the dual-use argument would be key. Any expertise gained by tackling cybercrime can also be applied to improving national cyber-defences, just as much as it could be used to improve offensive cyber-capabilities.
At this stage it looks unlikely the IGCI will evolve to have an operational mandate in conjunction with its coordination role. Transnational policing operations remain bilateral and multilateral, and so AFP regional engagement must seek to maintain and improve these individual state-level relations. However, the capacity for combating cyber-crime offered by the IGCI offers a potential regional coordination mechanism unique to the Asia-Pacific region. Given that the publicity of the census collapse has brought cyber-security to the forefront of public debate, investing in the development of such a mechanism is looking increasingly attractive.
Photo courtesy of Flickr user Tom Blackwell